As Brit cyber-spies drop 'whitelist' and 'blacklist', tech boss says: If you’re thinking about getting in touch saying this is political correctness gone mad, don’t bother

The British government's computer security gurus have announced they will stop using the terms whitelisting and blacklisting in their online documentation.

The National Cyber Security Centre (NCSC), part of GCHQ, said on Friday it would, following a request from a customer, eliminate the terms when describing including and excluding specific applications, websites, weak or leaked passwords, and so on.

Instead, it will use the terms "allow list" and "deny list" in material published on its website.

The aim, said NCSC head of advice and guidance Emma W, is to avoid linking "black" with bad and "white" with good, and the racial connotations they carry.

"From now on, the NCSC will use 'allow list' and 'deny list' in place of 'whitelist' and 'blacklist' on our website. Which, in fact, is clearer and less ambiguous," said Emma.

"So as well as being more inclusive of all, this is a net benefit to our web content. We are editing our guidance across the website to update the terms, but if you do spot any in the meantime then please do contact us."

The NCSC noted the policy change was only a small gesture in a much larger effort to drive prejudice from technology and cyber-security industries, but noted that every small step helps.

"You may not see why this matters. If you're not adversely affected by racial stereotyping yourself, then please count yourself lucky," Emma said. "For some of your colleagues (and potential future colleagues), this really is a change worth making."

The centre also shared an additional statement from technical director Ian Levy and the board of directors in anticipation of a knee-jerk internet backlash:

"If you’re thinking about getting in touch saying this is political correctness gone mad, don’t bother."

These aren't the first problematic terms to be deprecated in technical vocabularies. For instance, "master" and "slave" to describe storage drives, databases, and similar stuff have been dropped by organizations and companies in favor of "primary" and "secondary."

In response to the NCSC announcement, some asked if this will mean an end to "white hat" and "black hat" to describe those in defensive and offensive security roles, respectively. ®